
Security Rules Fail For SSO/SAML Users and The Group or Other User Attributes Returned from SSO / SAML Provider Are Not Seen in the User Record

Damien_Villaret
Support

Last Update:

Feb 23, 2021 4:36:00 AM

Updated By:

Sonja_Bauernfeind

Created date:

Dec 24, 2016 8:15:29 AM

When a user authenticates with SAML/JWT/Ticket, security rules based on the attributes from the SSO provider do not work and the attributes are not visible in the QMC under the User record.

Environments:

  • Qlik Sense Enterprise, all versions

 

When a user authenticates with SAML, a list of attributes will be given to Qlik Sense based on what is set up in the virtual proxy.  The attributes depend on the implementation.

However, these User attribute(s) returned from the SSO provider are only kept for the user session and are not stored/persisted in the Qlik Sense Repository Database. Therefore, they do not appear in the QMC like attributes synchronized via a UDC connection (data which is persisted to the database).
 

Resolution:

 

  1. Reference the attributes via user.environment.[attribute name] (not user.[attribute name])
  2. View the exact attributes returned from the SSO provider by examining the logs:

    1. Set the Proxy Audit Logs to the DEBUG level

    2. After enabling debug logging, the (Trace/Audit) Proxy logs will reveal the extracted attribute(s). No restart is required. 

      The default location for this log is C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\servername_Proxy_audit.txt

      Example Headers that will be injected:

      [X-Qlik-Security, OS=Windows; Device=Default; Browser=Firefox 50.0; IP=fe80::f0bf:12cb:47cd:2086%14; ClientOsVersion=6.3; SecureRequest=true; Context=AppAccess; role=Domain+Users; role=group5; ] || [X-Qlik-User, UserDirectory=DOMAIN; UserId=user5] || [X-Qlik-ProxySession, b29118dd-4539-4742-ad65-fe307eb10b54] || [X-Qlik-ProxyId, ProxyId=38daa8e0-5330-4581-9f40-49d7418b858f; Prefix=adfs] || [X-Qlik-Trace, cf2e0117-ee82-4d26-bba8-b781fc4ef19e:::]
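
Added example (not part of the original article and not Qlik code): a short Python script that parses the injected-headers line from the proxy audit log and lists each session attribute in the user.environment.[attribute name] form that a security rule would reference. The function names are hypothetical, and attribute names and values are kept exactly as they appear in the log.

```python
import re

# The example injected-headers line shown in this article.
SAMPLE = (
    "[X-Qlik-Security, OS=Windows; Device=Default; Browser=Firefox 50.0; "
    "IP=fe80::f0bf:12cb:47cd:2086%14; ClientOsVersion=6.3; SecureRequest=true; "
    "Context=AppAccess; role=Domain+Users; role=group5; ] || "
    "[X-Qlik-User, UserDirectory=DOMAIN; UserId=user5] || "
    "[X-Qlik-ProxySession, b29118dd-4539-4742-ad65-fe307eb10b54] || "
    "[X-Qlik-ProxyId, ProxyId=38daa8e0-5330-4581-9f40-49d7418b858f; Prefix=adfs] || "
    "[X-Qlik-Trace, cf2e0117-ee82-4d26-bba8-b781fc4ef19e:::]"
)

# One "[Header-Name, value]" group; values never contain "]" in this format.
HEADER_RE = re.compile(r"\[(X-Qlik-[A-Za-z]+),\s*([^\]]*)\]")


def parse_headers(line):
    """Return {header name: raw value} for every [X-Qlik-*, value] group."""
    return {name: value.strip() for name, value in HEADER_RE.findall(line)}


def parse_pairs(value):
    """Split 'k=v; k=v; ' into {k: [v, ...]}, keeping repeated keys such as role."""
    pairs = {}
    for item in value.split(";"):
        key, sep, val = item.strip().partition("=")
        if sep and key:  # skips the empty item after the trailing ';'
            pairs.setdefault(key, []).append(val)
    return pairs


def session_attributes(line):
    """Attributes the proxy attached to this session (X-Qlik-Security header)."""
    return parse_pairs(parse_headers(line).get("X-Qlik-Security", ""))


def rule_references(line):
    """Map each session attribute to the name a security rule would use."""
    return {f"user.environment.{k}": v for k, v in session_attributes(line).items()}


if __name__ == "__main__":
    for ref, values in rule_references(SAMPLE).items():
        print(f"{ref:35} {values}")
    print("user:", parse_pairs(parse_headers(SAMPLE)["X-Qlik-User"]))
```

If an attribute you expect from the SSO provider is missing from this output, the rule cannot match on it for that session.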